5. Remove main account from admin group, leaving in users group only. Reboot. Log into main account again.

6. Try to write file or delete from Windows or root. No can do. User policy dictates this. However, try this in Program files and it works.

So, I make an easy way to (sort of) pull in the default settings from the setup security template, then change a few things like give the Users group modify permissions to program files (and also the main users documents too). This now keeps the windows data from standard user messing with, yet allows more loose control to add programs.

Next add SuRun, and now you can do all the items with the Secondary Login that were not possible without.

I have found (and I am no expert, just like to tinker) that the Security Setup.inf template knows of everything in a default installation. So any directory like maybe c:\adobe will not be 'restricted' because it is not specifically stated so. At least it appears to be that way.

Maybe someone can state experience with why the registry is unlocked at least in HKLM/Software, yet mmc consoles are not allowed (in user mode). I find that to be strange that the registry is open.

Anyway, there is a lot to tweak in this method. I have made a simple method to quickly fill out a few different .ini files with ones preferences and then roll them into the custom .inf file.

Does anyone see this as a flawed method?

And why bother with this? Because using the mmc console is dreadfully slow. I seek to make easier method. And because I know many who do not use LUA and would not wish to go through the pain involved of learning, lol. And the top reason, LUA is so restrictive that many complaints. But this way more almost normal type events can happen because Program Files, maybe most common used to write to directory is more open.